A digital certificate issued by a certificate authority (CA) can be stored on, or bound to, a local computing device using a Cryptographic Service Provider (CSP) or a Public-Key Cryptography Standards (PKCS) module (both hereinafter referred to as “cryptographic service modules” or CSMs). The local computing device may use the certificate to engage in trusted transactions or trusted communications with computer applications (referred to as “challenger applications”) that challenge the authenticity of the local computing device or its user. For example, a challenger application may verify the signature of the CA associated with a certificate and allow a trusted transaction or trusted communication based on that verification.
Each digital certificate provides information that identifies the CSM (e.g., by name) used to bind the certificate on the local computing device. However, simply identifying a given CSM does not enable a challenger application to establish trust unless the challenger application has prior knowledge (e.g., hard-coded information) of the given CSM and/or the cryptographic token (i.e., the module that performs the cryptographic operations) used by the given CSM. Even if a challenger application has prior knowledge of the given CSM and/or the token used by that CSM, establishing trust on the basis of prior knowledge is neither easily scalable (i.e., accounting for new CSMs or tokens is problematic) nor dynamic (i.e., accounting for a switch from one CSM or token to another CSM or token is problematic).